Trouble getting pfsense + openvpn + edgerouter-x working
-
Been banging my head against a wall for a few days now attempting to set up a pfSense instance on a recently acquired Dell R210ii. Goal is to run all traffic on the home network through the pfSense box, with certain VLANs routing out to the VPN and some to the clearnet gateway.
I've largely followed: https://nguvu.org/pfsense/pfsense-baseline-setup/
I've checked and triple checked my configurations on pfSense and er-x.
ISP is ATT U-Verse with a Pace 5268ac box that only supports a "DMZ+" mode which is basically bridging.
Using OpenVPN to connect to AirVPN and that connection is showing all green.
Using the ER-X as a managed, VLAN-aware switch behind the pfSense box, which is behind the ATT box (need the ATT box to get service).
I can not get any internet connectivity on the VPN interface (vlan 20).
At points, connectivity has been present for clearnet(vlan30), but it has been inconsistent.
I suspect that the issue is somewhere in my NAT rules, or the ATT box is a POS and is ruining all my hopes and dreams. Thanks for the help in advance.
NAT
WAN Firewall rules
LAN Firewall
VLAN 20 VPN Firewall rules
VLAN 30 Clearnet rules
VPN_WAN interface firewall rules
Interfaces
EdgeRouter-X Config:
-
Your pfSense config looks OK, at least the parts we can see. Your DNS setup there may not be good, but you should be able to ping out by IP at least from the VLAN subnet.
I'd have to guess your edge router config is bad but it's the first time I'm ever looking at one.
What exactly is it supposed to be doing? How is it connected?
Steve
-
@stephenw10 I neglected to mention that I am able to ping out; DNS is fine, it seems.
The EdgeRouter should be acting as a VLAN-aware switch; from what I've seen this is possible with the ER-X.
Eth 1,2,3,4 should be configured as a part of switch 0. Leaving eth0 for connecting for confirmation for now.
Eth1 - trunk to pfsense box
Eth2 - hardwired VPN (vlan 20) port
Eth3 - hardwired clearnet port (vlan 3)
Eth4 will be going to an access point, but I have not set that up yet. It's quite possible that the ER-X is the issue; the configuration is a little weird for me.
Anything on eth2 from the client machine should be tagged as vlan20, same for vlan 30 and eth3.
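For reference, here is what the switch layout described in this post (eth1 trunk to pfSense, eth2 untagged in VLAN 20, eth3 untagged in VLAN 30, eth4 joined to the switch for the future AP) looks like in EdgeOS set-command syntax. This is an added example, not the poster's actual ER-X config; the port-to-VLAN assignment is taken from the description above and eth0 is assumed to be the separate management port.

```edgeos
# Added example: vlan-aware switch0 on an ER-X for the layout described above.
# eth1 = trunk to pfSense, eth2 = untagged VLAN 20, eth3 = untagged VLAN 30,
# eth4 = future AP port (member of the switch, no VLAN assigned yet).
# eth0 is deliberately left out of switch0 so it remains a plain management
# port; apply this over eth0 so a VLAN mistake cannot lock you out.
configure

# Put the four LAN ports in switch0 and turn on VLAN awareness.
set interfaces switch switch0 switch-port interface eth1
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4
set interfaces switch switch0 switch-port vlan-aware enable

# Trunk to pfSense: VLANs 20 and 30 leave this port tagged.
# Untagged frames on the trunk stay in the default PVID, which is what
# pfSense sees as its native (untagged) LAN on the same cable.
set interfaces switch switch0 switch-port interface eth1 vlan vid 20
set interfaces switch switch0 switch-port interface eth1 vlan vid 30

# Access ports: untagged frames from the client are placed in the stated
# VLAN. No "vid" entries here, so eth2 never sees VLAN 30 traffic and
# eth3 never sees VLAN 20 traffic; the only path between them is pfSense.
set interfaces switch switch0 switch-port interface eth2 vlan pvid 20
set interfaces switch switch0 switch-port interface eth3 vlan pvid 30

commit
save
exit
```

On the pfSense side the matching piece is VLAN 20 and VLAN 30 created on the parent interface that is cabled to eth1, each assigned as its own interface with DHCP enabled, which is what the DHCP lease check in the next reply confirms.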
-
Hmm, well reading this it does appear to be correct at least in terms of the VLAN config.
Do you have DHCP enabled on those interfaces in pfSense? And are clients connected to the edgerouter pulling an IP in the correct subnet? If so the VLAN setup is probably correct.
In which case can we see your outbound NAT rules?
Steve
-
@stephenw10 Yup, dhcp is good, clients get an ip in the correct subnet.
Here's the outbound NAT:
Starting to think I need to just bypass this ATT box...
-
Hmm, OK. That should work.
I'd probably run some packet captures on WAN and the OpenVPN interface when trying to ping out to IPs that should be reachable over each from VLAN 20. See what traffic is actually going where and what replies, if any, are returning.
Steve